David Shaw, Purdue’s chief information security officer, says ITaP often advises individuals to be suspicious of links within emails, particularly when messages are aimed at prompting immediate action. But because so many phishing scams spoof official correspondence, it’s sometimes difficult to distinguish real email from malicious email.

“One thing that would help eliminate confusion would be to direct people to a site as opposed to sending them a direct link,” Shaw says. “For example, instead of sending a hyperlink to www.purdue.edu, you could instruct people to go to the Purdue home page and click on a particular link.”

Shaw also sees many official messages that contain boilerplate text, often automatically generated, which spammers frequently copy to make their messages appear more authentic. As a result, Shaw recommends that individuals craft messages personally and include details designed to let recipients know that the message is legitimate.

Shaw also encourages email recipients to ask themselves the following questions when browsing their inbox.

“These questions serve as general guidelines for identifying phishing attempts,” Shaw says. “The more red flags you see in an email, the more likely it’s not legitimate.”

Does the message contain general salutations and signatures? Most phishing attempts begin with generic phrases like “Greetings valued customer,” or “Dear account user.” Most legitimate companies, on the other hand, will include an intended recipient’s name in their correspondence. Another indication of a phishing attempt is a general signature at the end of the message, such as “Purdue Messaging Group.”

Are the URLs legitimate? Emails containing Web links should always be questioned. One way to verify a link’s legitimacy is to hover your mouse cursor over embedded links and make sure the link uses encryption (https://). Also, if the link in the text isn’t identical to the URL displayed when you hover the cursor over the link, that’s a sure sign it’s taking you somewhere you don’t want to go. Another best practice: open a new browser window and visit a site directly by pasting in its Web address, or URL, rather than simply clicking the link in an email and going wherever it takes you.

Is the sender requesting personal information? Providing personal information through email or by phone in response to an unsolicited request is always a bad idea. Messages soliciting passwords, Social Security numbers and other personal information are scams.

Is the email asking you to take immediate action? Hackers want you to respond without thinking. Phishing emails might even claim a response is required within a short time frame because your account has been compromised. Watch out for language directing you to update an account, download an attachment, visit a website, provide personal information, etc.

Is the email making promises that seem too good to be true? Then they probably are. Any message offering to put money in your bank account with a single click is a scam.

Are there misspellings or typos? An email from a legitimate organization should be well-written. Grammar and spelling mistakes are red flags.
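The URL check described above (compare the address shown in the link text with the address the link really points to, and look for https://) can also be automated for an HTML message body. The following is an added example, not code from Purdue or ITaP; the function names, flag labels and sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def split_url(value):
    """Return (scheme, hostname) in lower case; empty strings if unparsable."""
    try:
        parsed = urlparse(value if "://" in value else "//" + value)
        return parsed.scheme.lower(), (parsed.hostname or "").lower()
    except ValueError:
        return "", ""

def link_red_flags(html_body):
    """Return [(href, shown_text, flags)] for links that raise a red flag."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, text in collector.links:
        scheme, target_host = split_url(href)
        flags = ["not-https"] if scheme == "http" else []
        # Only compare when the visible text itself looks like a web address.
        shown_is_url = not any(c.isspace() for c in text) and "." in text.strip(".")
        if shown_is_url and split_url(text)[1] != target_host:
            flags.append("text-href-mismatch")
        if flags:
            findings.append((href, text, flags))
    return findings

# Constructed sample message body (not a real email).
SAMPLE = (
    '<p>Dear account user,</p>'
    '<a href="http://login.example.net/purdue">https://www.purdue.edu/account</a>'
    '<a href="https://www.purdue.edu/">www.purdue.edu</a>'
)
```

A link with ordinary wording as its text (for example "Update your account") has no displayed address to compare, so it still needs the hover check by hand.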

What to do if you receive a phishing email:

When you see a suspicious email in your Purdue inbox that’s not already flagged as a phishing attempt, report it to abuse@purdue.edu with the original email attached to preserve its header information. Doing so helps Purdue’s security team review the message and advise whether it is legitimate. The security team also can take measures to block fraudulent websites.

To attach an email in Windows using Outlook with Purdue’s Exchange service, create a new message and choose “Attach Item” from the dropdown list on the message menu bar. Then select “Outlook item,” and attach the email in question. On a Mac, right-click or Control-click the suspicious message and choose “Forward Special” and then “As Attachment” from the dropdown list.